Before migration
- ✓ Identify broken inheritance, unique permissions, direct user grants, external users, anonymous links, orphaned owners, and sensitive libraries.
- ✓ Replace direct grants with Microsoft 365 groups or security groups where practical.
- ✓ Confirm site owners and business approvers before permission changes.
- ✓ Document intentional exceptions instead of assuming every legacy permission should be preserved.
During migration
- ✓ Validate source-to-target permission mapping on pilot sites before using it in production waves.
- ✓ Flag high-risk sharing links, unmanaged guests, folder-level grants, and external access for owner review.
- ✓ Test with real users from multiple roles, not only site collection administrators.
- ✓ Keep a log of access decisions that were changed during migration so support teams can answer user questions.
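
The "identify" item under Before migration and the "flag for owner review" item under During migration, as an added example that is not part of the original checklist: Python that classifies rows of a permission inventory export into those finding types and groups them per site for owner review. The CSV column names, the sample rows and the `#ext#` guest-login check are assumptions about the export format, and all data is constructed.

```python
import csv
import io
from collections import defaultdict

# Constructed sample export; the column names are assumptions, not a real tool's schema.
SAMPLE_CSV = """site,path,scope,inherits,principal,principal_type,link_scope,role,active
/sites/finance,/,site,true,Finance Owners,security_group,,Full Control,true
/sites/finance,/,site,true,j.doe@contoso.example,user,,Full Control,false
/sites/finance,/Payroll,library,false,a.lee@contoso.example,user,,Edit,true
/sites/finance,/Payroll/2023,folder,false,pat_partner.example#ext#@contoso.example,user,,Read,true
/sites/finance,/Shared/plan.docx,item,false,,sharing_link,anonymous,Edit,true
/sites/hr,/,site,true,HR Team,m365_group,,Edit,true
"""

def classify(row):
    """Return the checklist findings that apply to one permission entry."""
    findings = []
    unique = row["inherits"].lower() == "false"   # object has its own permissions
    is_user = row["principal_type"] == "user"     # granted to a person, not a group
    if unique:
        findings.append("broken_inheritance")
    if unique and row["scope"] == "folder":
        findings.append("folder_level_grant")
    if is_user:
        findings.append("direct_user_grant")
    # Assumption: guest accounts carry the "#ext#" marker in their login name.
    if is_user and "#ext#" in row["principal"].lower():
        findings.append("external_user")
    if row["principal_type"] == "sharing_link" and row["link_scope"] == "anonymous":
        findings.append("anonymous_link")
    # Owner-level grant held by an account that is no longer active.
    if is_user and row["role"] == "Full Control" and row["active"].lower() == "false":
        findings.append("orphaned_owner")
    return findings

def review_queue(csv_text):
    """Group flagged entries per site so each owner gets one review list."""
    queue = defaultdict(list)
    for row in csv.DictReader(io.StringIO(csv_text)):
        findings = classify(row)
        if findings:
            queue[row["site"]].append((row["path"], row["principal"] or "(link)", findings))
    return dict(queue)

if __name__ == "__main__":
    for site, entries in review_queue(SAMPLE_CSV).items():
        print(site)
        for path, principal, findings in entries:
            print(f"  {path:20} {principal:42} {', '.join(findings)}")
```

Entries that owners confirm as intentional can be recorded against the same path and principal, which gives the exception list and the access-decision log the checklist asks for.
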
After migration
- ✓ Review access with site owners and confirm that business-critical users can work without over-broad permissions.
- ✓ Apply sharing defaults, sensitivity labels, retention policies, audit logging, and governance controls.
- ✓ Set recurring permission review cadence for high-value sites, external collaboration spaces, and regulated content.
- ✓ Close migration waves only after access validation and owner signoff are complete.
